Why does this PHP code (mysql_query to delete a row where user name is $phpVar) do nothing?
mysql_query("DELETE FROM xraydeath WHERE user = $user");
Probably because you forgot to quote the $user parameter also, please escape variables goes into sql query strings. If that parameter is connected directly to user input someone might submit ' or 1=1 -- and your whole table gone. This idea know as sql injection.
note: the old mysql_* functions are now deprecated, you should avoid using them, see the alternatives.
You need to put quotes around strings like this:
mysql_query("DELETE FROM xraydeath WHERE user = '$user'");
you forgot the quotes around the user:
mysql_query("DELETE FROM xraydeath WHERE user = '$user'");
What are you expecting? How it fails? Mysql_query is not suppose to do anything in the form that you are using it, except sending the query to the server.
$result = mysql_query (...);
// use the result if any.
if (!$result) {
die('Invalid query: ' . mysql_error());
}
// check the error that you might have
you need to put $user into quotes
mysql_query("DELETE FROM xraydeath WHERE user = '".$user."';");
also DELETE will succeed if even no rows where deleted, so to get how many rows where actually deleted use mysql_affected_rows()
$x = mysql_query("..");
echo "There were ".mysql_affected_rows()." rows affected";
**Try not to use mysql_* switch to PDO instead.
Assuming xraydeath.user is a character type, the value needs to be enclosed in quotes. If $user does not already contain the quotes, try:
mysql_query("DELETE FROM xraydeath WHERE user = '$user'");
And for kicks, try setting $user = "' OR '1'='1";! (Read up on SQL injection attacks and you should really switch to mysqli!)
It's also possible the table does not have a matching row, and therefore nothing will be deleted. Without knowing what you have assigned to $user and your data there is no way to know.
try this one:
mysql_query("DELETE FROM xraydeath WHERE user = '".$user."'");
or
mysql_query("DELETE FROM xraydeath WHERE user = '".$user."';");
every php variables that used in mysql, put them into '".$variable."'
First : mysql is deprecated. you should use mysqli.
Second : What kind of type is user?
if is int :
(object oriented style)
mysqli::query("DELETE (what you want) FROM xraydeath WHERE `user` = '".$user."'");
if is varchar (string) :
mysqli::query("DELETE (what you want) FROM xraydeath WHERE `user` LIKE '".$user."'");
or
(procedurel syle)
mysqli_query((your mysqli link), "DELETE (what you want) FROM xraydeath WHERE `user` LIKE/= '".$user."'");
Hope it helps
Related
I have made a database where email id and corresponding name and password is stored. I have successfully obtained a form's data.. where the user enters updated name and password. But the problem is occuring with the query which is as follows
$db = mysqli_connect(all details)...
$name = $_POST['name'];
$password = $_POST['password']:
$email = $_POST['email'];
$query = "UPDATE mytable SET name='$name',password='$password' WHERE emailid='$email'";
$result = mysqli_query($db,$query);
Though I am getting all form values succesffuly and until and unless I put the 'where' clause.It works.But obviously updates all values. i want it to work with where..but so far unsuccessful :(
you need to put {} around the variables if its surrounded by quote ''
so your query should look like this
$query = "UPDATE mytable SET name='{$name}',password='{$password}' WHERE emailid='{$email}'";
$result = mysqli_query($db,$query);
EDIT : also before saving data to database make sure to filter and validate data
You need to make sure that emailid exists in mytable, you truly intended to filter by it and in your database scheme it has a type which supports the posted data. It seems that you are sending strings, like 'foo#bar.lorem' and your emailid is an int or something in the database scheme. Check it by running
desc mytable;
You need to put curly brackets around variables if you use apostrophe around them, but as a matter of style I like to close the string and attach the $variable with a . as this coding style is closer to me personally.
If everything fails, see what is generated, by echoing out the query string, try to run that directly, see what the error is and fix until...
... until it is fixed.
Also, you do not encrypt the password and your code is vulnerable to SQL injection too. Please, read about password encryption and SQL injection and then protect your project against these dangers.
You can write your statement as:
$query = "UPDATE mytable SET name='".$name."',password='".$password."' WHERE emailid='".$email."'";
using . as string concatenating operator
I am trying to get the reputation of a union (everyone who is in the unions reputation added)
$the_member = mysql_query("SELECT `reputation` FROM `stats` WHERE `id` in (SELECT `id` FROM `user` WHERE `union`='".$id."')") or die(mysql_error());
Thats what I have So far and if you echo it its just blank, no errors and no text.
If you read the PHP doc for mysql_query, you'll see an example that shows you how to use it. Basically you need to use mysql_fetch_assoc (or some similar function) to get the actual data, like this:
while ($row = mysql_fetch_assoc($the_member)) {
echo $row['reputation'];
}
Warning: try not to use mysql_query, it's deprecated. Use mysqli_query, or better yet, PDO. It's all in the link above. Also, you need to make sure the $id value doesn't contain anything that would break your query. This is called "SQL injection", and in certain cases it lets anyone run an arbitrary query. Consider the case when $id == "'); drop table user; --"
I am lost here please help
my data base table will not update when I use this code
$sqlpassword = "UPDATE login SET password='$hashedP' WHERE id='$id' LIMIT 1";
$querypass = mysqli_query($db_x, $sqlpassword);
I have tried to look around maybe i'm not seeing it but im sure its right
password is a reserved word in MySQL. You have to wrap fieldnames in backticks so that MySQL doesn't see it as a SQL command.
$sqlpassword = "UPDATE `login` SET `password`='$hashedP' WHERE `id`='$id' LIMIT 1";
$querypass = mysqli_query($db_x, $sqlpassword);
Don't use the LIMIT keyword on UPDATE Statement.
Just use
$sqlpassword = "UPDATE `login` SET `password`='$hashedP' WHERE `id`='$id'";
Disclaimer: Make use of Prepared Statements to avoid SQL Injection Attacks.
I worked it out sorry for wasting your time
<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>
was not putting in
edit.php?c=<?php echo $log_company ?>
so form was going to edit.php not edit.php?c=truestory
Check the following:
You are making commit after this update statement.
Check why you need the limit keyword, else remove it.
Check if the id is a number in your table structure or string, since in this update you are dealing with it as string.
I am using php to update a mysql DB within a function. I am able to echo my variable names and was able to return the variables on the php page. This proves to me that my variables are working correctly.
Now when I use the update command, my DB does not respond. Yes, I have connected to the DB and it all works.
This is what I am using to update:
mysql_query("UPDATE `table_name`
SET `int_field` = '$int_value'
WHERE `username` = $username");
The value for $username should be wrap with single quotes.
mysql_query(" UPDATE table_name
SET int_field = '$int_value'
WHERE username = '$username'");
SideNote: your code is vulnerable with SQL Injection. Please read the article below to know how to secure your code,
Best way to prevent SQL injection in PHP?
You need to quote all of your input to the query. This prevents SQL injection, but also simple syntax errors that would occur if your user innocently inputs a special character that would break your query.
mysql_query('UPDATE table_name '.
'SET int_field = "'.mysql_real_escape_string($int_value).'" '.
'WHERE username = "'.mysql_real_escape_string($username).'"');
This is the correct STRUCTURE of how to update with a variable in php
mysql_query("UPDATE tablename SET password='". $NPass ."' WHERE custID='$num'");
Try this :
mysql_query("UPDATE `table_name`
SET `int_field` = '$int_value'
WHERE `username` = '$username'");
I had the same problem and found that the SET value doesn't need single quotes and that the WHERE clause does ...
mysql_query("UPDATE table_name SET int_field=$int_value
WHERE username='$username'");
.. seemed to work for me.
I am using following method for MySQL queries:
$sql = "SELECT * FROM mytable WHERE `myTableId`=" . (int)$myId;
Is this a completely safe method or is there a way to inject some sql into the database with this method?
Any better alternative?
It can lead to unintended consequences, e.g.
$myId = 'blahblahblah';
would result in
... WHERE myTableId=0
maybe not such a big deal in this case, but if (say) you're doing a permissions systme and "super-duper-ultra-high-level-user-with-more-power-than-god" has permission level 0, then it's a nice way to bypass security.
If you truly want to avoid SQL injection, your best bet is to use PDO and prepared statements. check out http://www.php.net/pdo and http://www.php.net/manual/en/pdo.prepare.php
Thís should be perfectly save, without any drawbacks, as long as the input can be casted to int.
make it like this
$sql="select `username` from `users` where id='$newid';";
mysql_query($sql);
here $newid is the int value.
The symbol used before and after username, to get this you have to press the key just below esc .
I would probably use sprintf instead - but I dont see that it is much different from what you are doing. Placing the integer in quotes may also help.
$sql = sprintf("SELECT * FROM mytable WHERE `myTableId`='%d'", $myId);
Should probably add that you may want to deal with the case when conversion to integer fails. So dont have a table zero.
No need for the Int if you are just worrying about the mysql injection.
To prevent mysql injection you can use mysql_real_escape_string.
What you have right now will block all mysql injection if your mysql condition is only for int but if the situation is like this:
$username = $_GET["username"];
SELECT * FROM customers WHERE username = '$username'
if the $username value is *\' OR 1* your in trouble or i should say your dead
if the $username value is *\'; DELETE FROM customers WHERE 1 or username = * your very dead + doomed
To prevent this from happening use mysql_real_escape_string
$username = mysql_real_escape_string($_GET["username"]);